Cyber Posture

CVE-2026-3774

Severity: Medium
Published: 01 April 2026
Modified: 10 April 2026
CVSS Score: 4.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.0002 (5.1 percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3774 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Foxit PDF Editor. Its CVSS base score is 4.7 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Malicious File (T1204.002). EPSS ranks it at the 5.1 percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-18 (Mobile Code).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and one other technique, JavaScript Execution (T1059.007). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Requires timely remediation of the specific flaw in Foxit PDF software's handling of JavaScript and print actions during redaction, encryption, and printing by applying vendor patches.

Prevent (SC-18, Mobile Code): Prohibits or restricts execution of mobile code like PDF JavaScript that can update form fields, annotations, or OCGs to evade sanitization processes.

Prevent (CM-6, Configuration Settings): Mandates secure configuration settings for PDF software, such as disabling JavaScript, to block script-driven content changes during sensitive document workflows.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

The vulnerability enables delivery and user execution of a malicious PDF file containing JavaScript that abuses WillPrint/DidPrint actions to bypass redaction/encryption logic and leak sensitive content.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

The application allows PDF JavaScript and document/print actions (such as WillPrint/DidPrint) to update form fields, annotations, or optional content groups (OCGs) immediately before or after redaction, encryption, or printing. These script-driven updates are not fully covered by the existing redaction, encryption, and printing logic, which, under specific document structures and user workflows, may cause a small amount of sensitive content to remain unremoved or unencrypted as expected, or result in printed output that slightly differs from what was reviewed on screen.

Deeper analysis [AI-generated]

CVE-2026-3774 is a vulnerability in Foxit PDF software that arises from inadequate handling of PDF JavaScript and document/print actions, such as WillPrint and DidPrint. These actions can update form fields, annotations, or optional content groups (OCGs) immediately before or after redaction, encryption, or printing processes. The existing redaction, encryption, and printing logic does not fully account for these script-driven updates, potentially allowing a small amount of sensitive content to remain unremoved or unencrypted under specific document structures and user workflows, or causing printed output to differ slightly from the on-screen preview.

Exploitation requires local access (AV:L) with high attack complexity (AC:H), no privileges (PR:N), and user interaction (UI:R), resulting in high confidentiality impact (C:H) without affecting integrity or availability, as scored at CVSS 4.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N). An attacker could craft a malicious PDF document that, when processed by a victim using the affected software for redaction, encryption, or printing, leverages JavaScript or print actions to expose limited sensitive information that evades sanitization.
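The defensive check that follows from the analysis above is to find out, before a document enters a redaction, encryption or print workflow, whether it carries document-level print/save actions or JavaScript at all, since those are exactly the hooks the description says run around the sanitization step. The scanner below is an added example written for this page, not Foxit code and not a tool from the vendor bulletin. It assumes nothing about the affected software: it works on the raw PDF bytes, looks for the catalog-level additional-action keys defined in the PDF specification (WC, WS, DS, WP, DP), counts `/S /JavaScript` action dictionaries, flags `/OpenAction`, and inflates FlateDecode streams so actions hidden inside compressed object streams are seen too. It is a regex-based triage heuristic: it does not follow an `/AA` given as an indirect reference, and it cannot see inside encrypted files or non-Flate filters. The sample PDF is constructed inline for the demonstration.

```python
"""Triage scanner for PDF document-level actions and JavaScript.
Added example for CVE-2026-3774; regex-based, for pre-workflow triage only."""
import re
import zlib
from dataclasses import dataclass, field

# Document-catalog additional-action keys (ISO 32000-1, Table 197).
DOC_ACTION_KEYS = {b"WC": "WillClose", b"WS": "WillSave", b"DS": "DidSave",
                   b"WP": "WillPrint", b"DP": "DidPrint"}

AA_RE = re.compile(rb"/AA\s*<<")
DOC_KEY_RE = re.compile(rb"/(WC|WS|DS|WP|DP)(?![A-Za-z0-9])")
JS_ACTION_RE = re.compile(rb"/S\s*/JavaScript(?![A-Za-z0-9])")
OPEN_ACTION_RE = re.compile(rb"/OpenAction(?![A-Za-z0-9])")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


@dataclass
class ScriptFindings:
    doc_actions: list[str] = field(default_factory=list)  # e.g. ["WillPrint"]
    javascript_actions: int = 0
    has_open_action: bool = False

    @property
    def risky(self) -> bool:
        # Any document-level action or any JavaScript means the file should be
        # flattened/sanitized (or rejected) before redaction or encryption.
        return bool(self.doc_actions) or self.javascript_actions > 0


def _balanced_dict(data: bytes, start: int) -> bytes:
    """Return the dictionary whose '<<' begins at `start`, honouring nesting."""
    depth, i = 0, start
    while i < len(data) - 1:
        pair = data[i:i + 2]
        if pair == b"<<":
            depth += 1
            i += 2
        elif pair == b">>":
            depth -= 1
            i += 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    return data[start:]  # unterminated dictionary: scan to end rather than miss it


def _expand_streams(data: bytes) -> bytes:
    """Append inflated FlateDecode stream bodies so compressed objects are scanned."""
    chunks = [data]
    for m in STREAM_RE.finditer(data):
        header = data[max(0, m.start() - 512):m.start()]
        if b"/FlateDecode" in header:
            try:
                # decompressobj tolerates the trailing EOL before 'endstream'.
                chunks.append(zlib.decompressobj().decompress(m.group(1)))
            except zlib.error:
                pass  # damaged or non-zlib data: nothing extra to scan
    return b"\n".join(chunks)


def scan_pdf(data: bytes) -> ScriptFindings:
    """Scan raw PDF bytes for document-level actions, JavaScript and OpenAction."""
    data = _expand_streams(data)
    findings = ScriptFindings()
    for m in AA_RE.finditer(data):
        body = _balanced_dict(data, m.end() - 2)
        for key in DOC_KEY_RE.finditer(body):
            name = DOC_ACTION_KEYS[key.group(1)]
            if name not in findings.doc_actions:
                findings.doc_actions.append(name)
    findings.javascript_actions = len(JS_ACTION_RE.findall(data))
    findings.has_open_action = OPEN_ACTION_RE.search(data) is not None
    return findings


def build_sample_pdf() -> bytes:
    """Constructed sample: a catalog with WillPrint/DidPrint actions; the DidPrint
    action lives in a Flate-compressed object stream, the WillPrint one is inline."""
    objstm_payload = b'6 0 << /S /JavaScript /JS (this.getField("note").value = "printed";) >>'
    compressed = zlib.compress(objstm_payload)
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AA << /WP 5 0 R /DP 6 0 R >> >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n",
        b'5 0 obj\n<< /S /JavaScript /JS (this.getField("note").value = "printing";) >>\nendobj\n',
        b"7 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(compressed),
        compressed, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


# Constructed control document with no actions or scripts.
CLEAN_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))  # doc_actions=['WillPrint', 'DidPrint'], javascript_actions=2
    print(scan_pdf(CLEAN_PDF))
```

Run it over a drop folder or as a pre-step in a redaction pipeline and treat `risky` as a gate: a document with WillPrint/DidPrint hooks or any JavaScript should be flattened (or refused) before the sensitive operation, which is the same outcome the CM-6 and SC-18 controls on this page aim for at the application-configuration level.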

Foxit security bulletins at https://www.foxit.com/support/security-bulletins.html provide details on advisories and patches for mitigation. Security practitioners should consult this page for version-specific updates and apply patches promptly to address the gap in script handling during document processing workflows.

Details

CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Affected Products

Foxit PDF Editor: ≤ 13.2.2.24014; 14.0.0.33046 through 14.0.2.33402; 2023.1.0.15510 through 2023.3.0.23028
Foxit PDF Reader: ≤ 2025.3.0.35737

CVEs Like This One

CVE-2026-3775 (same product: Foxit PDF Editor)
CVE-2026-3777 (same product: Foxit PDF Editor)
CVE-2026-5940 (same product: Foxit PDF Editor)
CVE-2026-5941 (same product: Foxit PDF Editor)
CVE-2026-5943 (same product: Foxit PDF Editor)
CVE-2025-0525 (same product: Microsoft Windows)
CVE-2025-24071 (same vendor: Microsoft)
CVE-2026-21515 (same vendor: Microsoft)
CVE-2026-20805 (same vendor: Microsoft)
CVE-2026-42826 (same vendor: Microsoft)
